Im-Soohyun

**Name of the Vulnerable Software and Affected Versions** Flowise versions prior to 3.0.13 **Description** Flowise has a flaw where the /api/v1/attachments/:chatflowId/:chatId endpoint allows unauthenticated access to the file upload API because it is included in the WHITELIST URLS. The server trusts the client-provided Content-Type header without verifying the file's actual content or extension, allowing attackers to bypass file type restrictions by spoofing the Content-Type. Once uploaded via `addArrayFilesToStorage`, these files are stored in backend storage (S3, GCS, or local disk). This can lead to Stored XSS, malicious file hosting, or Remote Code Execution (RCE) if chained with other features. The vulnerability is related to the improper handling of file uploads and the lack of content validation. **Recommendations** Versions prior to 3.0.13 should be updated to version 3.0.13 or later.

**Name of the Vulnerable Software and Affected Versions** WeKnora versions prior to 0.2.5 **Description** WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, a command injection vulnerability exists that allows authenticated users to inject values into MCP stdio settings, specifically through `stdio config.command/args`. This allows the server to execute arbitrary subprocesses using these injected values. The vulnerability stems from missing security filtering on the `stdio config.command/args` parameters, a trust boundary violation where configuration data is directly used in execution flows without validation, and a lack of authorization controls. The vulnerable API endpoint is `/api/v1/mcp-services/{id}/test`. A proof of concept demonstrates the ability to execute commands, such as 'id' and 'uname -a', on the server by creating a file `/tmp/RCE ok.txt`. Successful exploitation could lead to remote code execution, information disclosure, and potentially privilege escalation or lateral movement depending on the environment. **Recommendations** Update WeKnora to version 0.2.5 or later.

**Name of the Vulnerable Software and Affected Versions** Directus versions prior to 11.14.0 **Description** Directus is a real-time API and App dashboard for managing SQL database content. An open redirect exists in the Directus SAML authentication callback endpoint. The `RelayState` parameter, intended to preserve the user's original destination, is not validated for redirect targets during the callback process, allowing an attacker to redirect users to an arbitrary external URL upon authentication completion. This can be exploited without authentication and is present in both success and error handling paths of the callback. **Recommendations** Versions prior to 11.14.0 should be updated to version 11.14.0 or later.

**Name of the Vulnerable Software and Affected Versions** Langflow versions prior to 1.7.0 **Description** Langflow is a tool for building and deploying AI-powered agents and workflows. The API Request component allows issuing arbitrary HTTP requests within a flow. Prior to version 1.7.0, the component performs limited validation of user-supplied URLs, failing to block access to private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254). This allows for non-blind Server-Side Request Forgery (SSRF) attacks via the flow execution endpoints ''/api/v1/run'' and ''/api/v1/run/advanced'', which can be accessed with an API key. An attacker controlling the API Request URL can access internal resources, including administrative endpoints, metadata services, and internal databases, potentially leading to information disclosure and further attacks. The vulnerable component uses a user-supplied URL (`url`) and sends the request using an httpx client. **Recommendations** Versions prior to 1.7.0 should be updated to version 1.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** Flowise version 3.0.7 **Description** Flowise, a drag & drop user interface for building customized large language model flows, contains a file upload issue. Authenticated users can upload arbitrary files without proper validation, enabling attackers to persistently store malicious Node.js web shells on the server. The system does not validate file extensions, MIME types, or file content during uploads. Uploaded shells expose HTTP endpoints capable of executing arbitrary commands if triggered. The uploaded shell does not automatically execute, but its presence allows future exploitation via administrator error or chained vulnerabilities. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lobe Chat versions prior to 1.130.1 **Description** Lobe Chat, an open-source artificial intelligence chat framework, has an issue in its OIDC redirect handling logic. The logic builds the redirect URL’s host and protocol using the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. If a reverse proxy forwards client-supplied X-Forwarded-* headers without validation, or if the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect to a malicious domain. **Recommendations** Update to Lobe Chat version 1.130.1 or later.